avfilter/vf_showinfo: check sd->size before reference the sd->data
authorLimin Wang <lance.lmwang@gmail.com>
Sat, 4 Jul 2020 12:32:58 +0000 (20:32 +0800)
committerLimin Wang <lance.lmwang@gmail.com>
Wed, 8 Jul 2020 15:12:48 +0000 (23:12 +0800)
Otherwise the code dereferences a null pointer if size < sizeof(uint32_t). Also,
if tc[0] > 3, the code now reports an error directly.

Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
libavfilter/vf_showinfo.c

index d7ee677c6895bc9398fd0dd586659b6246f354bf..1634f68a784c3296fc3d30cb255df78918183dbe 100644 (file)
@@ -365,15 +365,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame)
             break;
         case AV_FRAME_DATA_S12M_TIMECODE: {
             uint32_t *tc = (uint32_t*)sd->data;
-            int m = FFMIN(tc[0],3);
-            if (sd->size != 16) {
+
+            if ((sd->size != sizeof(uint32_t) * 4) || (tc[0] > 3)) {
                 av_log(ctx, AV_LOG_ERROR, "invalid data\n");
                 break;
             }
-            for (int j = 1; j <= m; j++) {
+            for (int j = 1; j <= tc[0]; j++) {
                 char tcbuf[AV_TIMECODE_STR_SIZE];
                 av_timecode_make_smpte_tc_string(tcbuf, tc[j], 0);
-                av_log(ctx, AV_LOG_INFO, "timecode - %s%s", tcbuf, j != m ? ", " : "");
+                av_log(ctx, AV_LOG_INFO, "timecode - %s%s", tcbuf, j != tc[0] ? ", " : "");
             }
             break;
         }
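Review bot: The loop `for (int j = 1; j <= tc[0]; j++)` and the separator test `j != tc[0]` re-read the count from the side-data buffer on every iteration and compare a signed `int` against a `uint32_t`, where the removed code used a local. The bound is safe as written because the preceding check rejects `tc[0] > 3`. I would still take a local after that check, `const int m = tc[0];`, and write `j <= m` and `j != m`, so the value that was validated is the value that is used and the comparison stays same-signed. The error path logs only `"invalid data\n"` for both a wrong size and an out-of-range count; naming the side data in the message, e.g. `"invalid S12M timecode side data\n"`, would make malformed input easier to triage. filter_frame's body starts and ends outside this hunk.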